In the WLAN environment, the wireless client first associates itself to
a wireless Access Point (AP). Based on the IP address range it receives from
the wireless connection, the VPN Client installed on the wireless client
automatically launches a VPN connection request to the corresponding VPN
Concentrator on site. The IPSec VPN connection is then used in order to secure
the wireless 802.11x traffic. Without the successful establishment of the Cisco
VPN connection, the wireless clients have no access to the network resources.

This sample configuration shows the configuration of the VPN Client in
order to enable the autoinitiation feature.

The information in this document is based on these software and
hardware versions:

Cisco VPN Client version 4.x

Cisco VPN 3000 Concentrator version 3.6

Cisco Aironet 340 series Access Point

Cisco Aironet 350 series wireless LAN adapter (version
5.0.1)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Note: In this example, Cisco Network Registrar is used as a Dynamic Host
Configuration Protocol (DHCP) server in order to provide IP addresses to both
wireless clients and VPN Clients.

In this example, based on which site the user roams into, the wireless
client automatically launches either one of the two VPN connections (namely
SJWireless or RTPWireless) that are pre-defined in the VPN dialer. More
specifically, if the wireless user gets an IP address in the range of
200.1.1.0/24 from the wireless association to the SJ AP, it launches the
SJWireless connection from the VPN dialer. If it gets an IP address in the
range of 150.1.1.0/24 from the wireless association to the RTP AP, it launches
the RTPWireless connection from the VPN dialer.

In this section, the VPN connections are first configured under the VPN
dialer, then the vpnclient.ini file is edited to add the autoinitiation
configuration. Once these steps are finished on one VPN Client, the generated
VPN profiles (.pcf files) and configured vpnclient.ini can be packaged, along
with the VPN Client image, in order to distribute to the end users. The VPN
connection launch is transparent to end users after VPN Client
installation.
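
As an added illustration (not part of the original document or of Cisco's tooling), this Python check validates the autoinitiation section of a vpnclient.ini before it is packaged and reports which connection entry an assigned address would trigger. The key names follow the VPN Client Administrator Guide; the section labels SJVPN and RTPVPN, the retry interval value and the function names are assumptions, and overlapping ranges are rejected as ambiguous rather than resolved.

```python
import configparser
import ipaddress

# Constructed sample. Key names are those of the VPN Client Administrator
# Guide; the section labels SJVPN and RTPVPN are hypothetical.
SAMPLE_INI = """\
[Main]
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
AutoInitiationList=SJVPN,RTPVPN

[SJVPN]
Network=200.1.1.0
Mask=255.255.255.0
ConnectionEntry=SJWireless

[RTPVPN]
Network=150.1.1.0
Mask=255.255.255.0
ConnectionEntry=RTPWireless
"""

def load_autoinit(ini_text):
    """Return [(network, connection_entry)]; raise ValueError on a bad file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    secs = {s.lower(): cp[s] for s in cp.sections()}  # ignore section-name case
    main = secs.get("main")
    if main is None or main.get("AutoInitiationEnable", "0").strip() != "1":
        raise ValueError("autoinitiation is not enabled")
    entries = []
    names = (n.strip() for n in main.get("AutoInitiationList", "").split(","))
    for name in filter(None, names):
        sec = secs.get(name.lower())
        if sec is None or not all(k in sec for k in ("Network", "Mask", "ConnectionEntry")):
            raise ValueError(f"[{name}] is missing or incomplete")
        # Strict parsing rejects a Network value with host bits set for its Mask.
        net = ipaddress.ip_network(f"{sec['Network'].strip()}/{sec['Mask'].strip()}")
        clash = [o for o, _ in entries if net.overlaps(o)]
        if clash:
            raise ValueError(f"{net} overlaps {clash[0]}: ambiguous trigger")
        entries.append((net, sec["ConnectionEntry"].strip()))
    return entries

def entry_for(ip, entries):
    """Connection entry the address should trigger, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    return next((conn for net, conn in entries if addr in net), None)
```

For an address outside every listed range, entry_for returns None, which makes a missing site range visible before the package is distributed.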

After steps 1 - 3 are complete on one VPN Client, the vpnclient.ini
and the VPN connection profiles (.pcf) can be collected and distributed to the
end users in the installation package. Refer to the VPN Client Administrator
Guide, Release 3.6 for information on how to preconfigure the VPN Clients for
remote users.

Cisco VPN 3000 Concentrator Configuration

Complete these configuration steps:

On VPN 3000 Concentrators, the VPN groups need to be configured to
establish an IPSec connection with the VPN Client. In the example, the wireless
users can connect to different VPN Concentrators based on the site in which
they roam. Here, only the important configuration tasks on the SJ VPN
Concentrator are highlighted. A VPN group called SJVPNusers,
which matches the VPN group name on the client, is created.

Choose Configuration > User Management >
Groups and choose SJVPNusers from the Current Group
listing. Select Modify Group from the Actions option if the
group is already created, or Add Group and then Modify
Group if the group must be created.

Click the Identity tab.

The Identity Parameters window appears. Verify that the information
displayed in this window is correct for your
configuration.

Click the General tab and then check the IPSec box
for the Tunneling Protocols attribute.

Click the IPSec tab, then specify the IPSec security association
(SA) and the Authentication method attribute with the drop-down menus and check
boxes provided.

In this case, the VPN users are defined locally on the VPN 3000
Concentrator, so the authentication method is
Internal.

In this case, the VPN Client gets an IP address from a DHCP server
during IKE negotiation, so the Use DHCP option is checked. Click
Apply.

Use the DHCP server configuration window in order to set up the
DHCP server parameters, and click Save in order to save the
settings.

As mentioned, one DHCP server behind the VPN 3000 Concentrator is
used for both wireless connections and VPN connections. For wireless
connections, the concentrator serves as a DHCP relay agent to relay the DHCP
message between the wireless AP and DHCP server.

Complete these steps in order to verify the autoinitiation feature in
the WLAN environment:

Insert the wireless LAN adapter into the PC, and wait for the
association to the wireless AP.

In order to verify the wireless association, start the Aironet
Client Utility software and check the bottom of the Aironet Client window. The
wireless client shown in the figure is able to associate to the wireless AP
whose IP address is 200.1.1.2.

Once the wireless association is complete, the VPN Client
automatically launches a connection based on the IP address received from the
wireless connection. In this case, the wireless client receives 200.1.1.52 from
the wireless AP, and the VPN Client launches the SJWireless connection based on
the configuration in vpnclient.ini.

Once the VPN connection is established, the client is able to
access the network resources under the protection of the IPSec VPN secure
services, as shown.

This section shows how to check the VPN Client event log in order to
verify that autoinitiation proceeds properly.

Open the Cisco VPN Client log viewer and you see information similar to
this during the autoinitiation. As you can see, the VPN Client receives the
200.1.1.52 IP address from the wireless association, which falls into the
200.1.1.0/24 network list defined in vpnclient.ini. The VPN Client then starts
the SJWireless connection accordingly. During the IKE negotiation, the Cisco
VPN Client receives an IP address of 50.1.1.8. It uses this IP address as the
source IP to access the internal network behind the Cisco VPN 3000
Concentrator.